HP-UX Whitelisting Administrator Guide, Troubleshooting and known issues (page 40)

For a WLI database archive to be internally consistent, it must contain every file residing under /etc/wli, captured with no update to any of those files between the time the first and the last file were archived.

The database is updated through the wliadm, wlicert, wlisys, and wlisyspolicy commands. It can be restored from archive only while the WLI security mode is set to maintenance. The security mode in effect is cached in kernel space rather than read from the database, so it can be determined only by querying the kernel:

% wlisyspolicy -g

To switch to maintenance mode:

% wlisyspolicy -s mode=maintenance -k <admin_key>

The command might return a message that a reboot is necessary. Following the reboot, run wlisyspolicy -g once more to verify that maintenance mode is in effect.

To restore the WLI database from archive:

% su root

# rm -r /etc/wli

If any file cannot be deleted, reboot the system with a kernel that does not contain WLI (see the kcmodule procedure below) and repeat the deletion.

# tar -xf /tmp/wlikeydb.tar

Or use an equivalent archive restore operation.

If the WLI database has been severely damaged, switching to maintenance mode might not be possible: to maintain the highest possible security, the security mode defaults to restricted whenever the initialization value cannot be read from the WLI database.

If the system cannot be switched to maintenance mode using wlisyspolicy, a kernel must be booted that does not contain the WLI components.

To rebuild the kernel without WLI:

# kcmodule wli=unused

# shutdown -r

Following reboot, all WLI file access policies and resource protections are disabled. After restoring the WLI database, the WLI kernel can be rebuilt and rebooted:

# kcmodule wli=static

# shutdown -r
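The restore procedure above, wrapped in shell functions that verify the two preconditions the guide states (maintenance mode in effect, archive covering every file under /etc/wli) before anything is deleted. This is an added example, not a script from the HP-UX Whitelisting guide; it assumes the archive was created with tar from /etc/wli and that wlisyspolicy -g prints the mode name in its output.

```shell
#!/bin/sh
# Added example, not part of the HP-UX Whitelisting guide. Assumptions:
#  - the archive was made with "tar -cf /tmp/wlikeydb.tar /etc/wli"
#    (entries may carry or lack the leading "/", both are handled);
#  - "wlisyspolicy -g" prints the current mode name (e.g. "maintenance").

# wli_mode_is_maintenance OUTPUT
# Returns 0 when the text captured from "wlisyspolicy -g" names maintenance mode.
wli_mode_is_maintenance() {
    printf '%s\n' "$1" | grep -qi 'maintenance'
}

# wli_archive_covers ROOT SUBDIR ARCHIVE
# Returns 0 when every regular file currently under ROOT/SUBDIR is present in
# ARCHIVE, the guide's requirement that the archive hold all files under
# /etc/wli (call as: wli_archive_covers / etc/wli /tmp/wlikeydb.tar).
# Prints each missing path and returns 1 otherwise; returns 2 if ARCHIVE
# cannot be listed.
wli_archive_covers() {
    _root=$1; _subdir=$2; _archive=$3; _missing=0
    _list=$(tar -tf "$_archive" | sed 's|^/||') || return 2
    for _f in $(cd "$_root" && find "$_subdir" -type f); do
        printf '%s\n' "$_list" | grep -qxF "$_f" \
            || { echo "missing from archive: $_root/$_f"; _missing=1; }
    done
    return $_missing
}

# wli_restore ARCHIVE
# Runs the guide's restore sequence only after both checks pass. Must run as
# root in maintenance mode; reboot afterwards and confirm with "wlisyspolicy -g".
wli_restore() {
    wli_mode_is_maintenance "$(wlisyspolicy -g 2>&1)" || {
        echo "not in maintenance mode; run: wlisyspolicy -s mode=maintenance -k <admin_key>" >&2
        return 1
    }
    wli_archive_covers / etc/wli "$1" || {
        echo "archive $1 does not cover /etc/wli; refusing to restore" >&2
        return 1
    }
    rm -r /etc/wli || {
        echo "deletion failed; boot a kernel without WLI (kcmodule wli=unused) and retry" >&2
        return 1
    }
    tar -xf "$1"
}
```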

40 Troubleshooting and known issues
